
SURGEONS GET KNIFED IN THE BACK


This week: healthcare institutions breached, surgery stalls as US surgeons pay a cyber ransom, Canadian universities come under attack, a UK charity is breached, and healthcare gets hit hard by hackers.


This Week's Top Dark Web Compromises*:

Top Source Hits: ID Theft Forums (99%)

Top Compromise Type: Domain (99%)

Top Industry: Manufacturing

Top Employee Count: 11 - 50 Employees


This Week’s Top Targeted Industries*:

Software Hits: 216 | Targets: Citrix Systems, Twitter, Microsoft, GitHub, Houzz

Information Technology Hits: 204 | Targets: Citrix Systems, Twitter, Microsoft, Apple, Google

Software Hits: 133 | Targets: Citrix Systems, Armor Games, KMD, McAfee, ESET Corporation

Finance Hits: 40 | Targets: Equifax Inc, PayPal, Wells Fargo, Coinbase, Cigna Corp.

Internet Hits: 40 | Targets: Twitter, Facebook, LinkedIn, Amazon, Dynamic Network Services, Inc (Dyn)


This Week’s Top Threat Actors*:

Hezbollah Hits: 50 | Targets: Israel, Syria, Lebanon, Iran, United States

United Cyber Caliphate Hits: 35 | Targets: United States, Malaysia Airlines Flight 370, Malaysia Airlines, Newsweek, United States Central Command

Inj3ct0r Team Hits: 24 | Targets: WordPress, Joomla, Twitter, Apache HTTP Server, SCADA and ICS Products and Technologies

IRIDIUM (APT Group) Hits: 22 | Targets: Citrix Systems, United Kingdom, Parliament of the United Kingdom of Great Britain and Northern Ireland, United States, Australia

Lazarus Group Hits: 21 | Targets: Sony Corp, South Korea, Cryptocurrency, United States, Poland


This Week’s Top Malware Compromises*:

Stuxnet Hits: 56 | Targets: Iran, North Korea, Industrial Control Systems, SCADA and ICS Products and Technologies, United States

Ursnif Hits: 54 | Targets: Japan, Banking, Italy, United Kingdom, Bulgaria

Yatron Hits: 32 | Targets: Twitter, Peer To Peer

ETERNALBLUE Hits: 32 | Targets: Microsoft Windows, Microsoft Windows 10, Server Message Block, Microsoft Windows 8, Microsoft Windows 7

PirateMatryoshka Hits: 27 | Targets: The Pirate Bay, #PirateBay



In Other News:


Cyber Criminals give Surgeons the knife*:

Physician owners at Columbia Surgical Specialists paid hackers more than $14,000 to regain access to patient data in January, according to a notice from the medical practice posted on Thursday. Spokane, Washington-based Columbia Surgical Specialists said it learned of the ransomware attack Jan. 9, a few hours before several patients were scheduled for surgery. The encrypted files and systems at Columbia Surgical Specialists included protected health information such as patient names and Social Security numbers. "They made it clear we would not have access to patient information until we paid a fee," the notice said of the hackers. "We quickly determined that the health and well-being of our patients was the number one concern, and when we made the payment they gave us the decryption key so we could immediately proceed unlocking the data." Columbia Surgical Specialists said the ransom was paid by the practice's physician owners and will not be passed on to patients. Cybersecurity experts, including the Federal Bureau of Investigation, have traditionally discouraged organizations from paying ransoms, arguing that complying with these demands incentivizes cybercriminals. In some cases, hackers have refused to provide an organization with a decryption key, even after receiving a ransom payment. Columbia Surgical Specialists reported up to 400,000 patients were affected in the incident to the HHS' Office for Civil Rights, which maintains the government's database of healthcare data breaches, Feb. 18. The practice said an external forensic review has since determined that the "actual number of potentially affected patients is substantially smaller." The practice's IT security provider, Intrinium, said that although data on up to 400,000 patients was encrypted, it is unlikely the hackers obtained any protected health information. However, Columbia Surgical Specialists said it still plans to notify all patients whose data was encrypted in the ransomware attack.
"It is the company's belief based on available information that certain files were simply corrupted with unauthorized encryption measures to prevent the company's temporary use or access of that data," the practice's notice reads. "We believe the information was locked, but not obtained, by the perpetrators." The ransomware attack at Columbia Surgical Specialists represents the second largest incident posted to the OCR's breach portal so far in 2019. UW Medicine in Seattle reported the largest breach yet this year on Feb. 20, disclosing a website vulnerability that affected the protected health information of an estimated 974,000 patients.


Kathmandu Outdoor Retailer penetrated*:

Outdoor-gear retailer Kathmandu has only “very recently” become aware of a hack which may have leaked the personal and payment information of its customers over a month ago. Kathmandu said this morning it suffered a security breach between January 8 and February 12 where an unidentified third party gained access to the Kathmandu website platform, gaining access to details customers enter at checkout. A spokesperson for the retailer said it became aware of the hack “very recently” but would not go into further detail when asked. In a statement circulated through the ASX (Australian Stock Exchange) on Wednesday, the retailer admitted it still hasn’t confirmed which of its customers have been affected but is notifying potential victims. “Whilst the independent forensic investigation is ongoing, we are notifying customers and relevant authorities as soon as practicable,” chief executive Xavier Simonet said in a statement posted to the ASX. An investigation involving “leading external IT and cybersecurity consultants” is underway, but the retailer said its wider IT environment, which includes all Kathmandu physical stores, was not affected by the breach. Kathmandu is just the latest retailer to admit to leaking customer information in the last 12 months. Globally, brands such as Macy’s, Adidas, Sears, Kmart (US), Best Buy, Saks Fifth Avenue, Under Armour, Forever 21, Whole Foods and EB Games owner Gamestop all admitted to data breaches in 2018. In Australia, Woolworths’ Big W gave away customer details last year in an apparent printer mishap. In recent years, hackers have targeted retail companies as lucrative sources of up-to-date consumer information, which experts say is then used to target people with various scams.


Serious Crypto Flaw Affects Swiss, Australian E-Voting Systems*

A critical crypto-related vulnerability that can be exploited to manipulate votes without being detected has been found to impact e-voting systems in Switzerland and Australia. The Swiss government, specifically the Swiss Post national postal service, announced last month the launch of a public bug bounty program for its electronic voting systems, with rewards of up to $50,000. Switzerland has been conducting e-voting trials since 2004 and Swiss Post believes it has now developed a fully verifiable system that can make e-voting widely available in the country. While the organization has contracted a third party to test the security of the new e-voting system, it has also decided to launch a public bug bounty program. The project will run until March 24 and over 3,000 hackers from around the world have signed up. A team of researchers calling itself setuid(0) has identified a significant number of vulnerabilities in the code, but Swiss Post has mostly classified them as “low risk.” Shortly after Swiss Post announced the bug bounty program, cryptography experts Sarah Jamie Lewis and Matthew Green pointed out that there were some potentially serious issues in the cryptographic functions. On Tuesday, Lewis, along with researchers Olivier Pereira and Vanessa Teague, disclosed the details of a serious crypto-related issue that they claim can be exploited for “undetectable vote manipulation.” The same vulnerability was also independently discovered by two other researchers. The vulnerability is present in functionality whose role is to ensure that anyone can verify the correctness of an election. The concept of “universal verifiability” guarantees that votes have not been tampered with even if all server-side components have been compromised. The Swiss voting system relies on “complete verifiability,” which offers the same guarantees as long as at least one server-side component has not been compromised.
However, researchers found that this e-voting system fails to ensure complete verifiability. “In the Swiss Post system, encrypted electronic votes need to be shuffled to protect individual vote privacy. Each server who shuffles votes is supposed to prove that the set of input votes it received corresponds exactly to the differently-encrypted votes it output. This is intended to provide an electronic equivalent of the publicly observable use of a ballot box or glass urn,” the researchers explained. The problem, according to the experts, is that this shuffling process relies on a cryptographic primitive known as a trapdoor commitment scheme, which allows anyone who knows the trapdoor values to alter votes without leaving any trace. Exploitation of this vulnerability is not an easy task as it requires deep access to the e-voting system and expert knowledge. Swiss Post, which highlighted that the flaw does not allow malicious actors to infiltrate voting systems, stated that the weakness can only be exploited by someone who has control over its IT infrastructure and even then they would need assistance from insiders. However, Lewis, who is the executive director of a privacy-focused non-profit called Open Privacy, pointed out on Twitter that the goal of their research is not to show that someone from the outside can tamper with elections, but that Swiss Post itself can modify votes without leaving a trace. “This isn't ‘some random hacker can steal an election,’ this is ‘Swiss Post can prove they didn't steal an election, even if they did’,” she explained.
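The paragraph above turns on one property: a trapdoor commitment stays binding only for people who do not know the trapdoor. The following is an added illustration written for this newsletter, not code from Swiss Post, Scytl or the researchers, and it assumes a Pedersen-style commitment C = g^m · h^r as a representative trapdoor commitment (the article does not name the exact scheme). The group parameters are constructed toy values chosen so the arithmetic can be followed by hand. It shows that whoever generated h and kept t = log_g(h) can re-open an existing commitment to a different message, and contrasts that with deriving h from a public seed so that nobody learns the trapdoor, which is the defensive fix for parameter generation.

```python
"""Why knowing a commitment's trapdoor destroys the binding property.

Added example; not the e-voting project's own code. Constructed toy group:
p = 2q + 1 with p = 23, q = 11; G = 4 generates the order-q subgroup of
quadratic residues mod p. Real deployments use large parameters; the point
here is the algebra, not the key sizes.
"""
import hashlib

P = 23   # constructed toy prime, p = 2q + 1
Q = 11   # order of the subgroup generated by G
G = 4    # generator of the order-Q subgroup


def setup_with_trapdoor(t: int) -> int:
    """Parameter generation where whoever chose h also knows t = log_G(h)."""
    return pow(G, t, P)


def setup_nothing_up_my_sleeve(seed: bytes) -> int:
    """Derive h from a public seed by hashing, so nobody learns log_G(h).

    Squaring maps an arbitrary residue into the order-Q subgroup. A counter is
    appended and bumped until the result is neither 0 nor 1. Any verifier can
    recompute h from the seed, which is what makes the parameters auditable.
    """
    counter = 0
    while True:
        digest = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        h = pow(int.from_bytes(digest, "big") % P, 2, P)
        if h not in (0, 1):
            return h
        counter += 1


def commit(m: int, r: int, h: int) -> int:
    """Pedersen-style commitment C = G^m * h^r (mod P)."""
    return (pow(G, m, P) * pow(h, r, P)) % P


def verify_opening(c: int, m: int, r: int, h: int) -> bool:
    """A verifier without the trapdoor can only check that (m, r) reproduces C."""
    return commit(m, r, h) == c


def equivocate(m: int, r: int, m_new: int, t: int) -> int:
    """With the trapdoor t, find r' so that commit(m_new, r') == commit(m, r).

    Since h = G^t, C = G^(m + t*r). We need m_new + t*r' = m + t*r (mod Q),
    so r' = r + t^-1 * (m - m_new) (mod Q). The verifier sees a valid opening
    for a message that was never committed to.
    """
    t_inv = pow(t, -1, Q)   # modular inverse; Python 3.8+
    return (r + t_inv * (m - m_new)) % Q


def demo():
    """Commit to m=5, then re-open the same C as m=9 using the trapdoor."""
    t = 7
    h = setup_with_trapdoor(t)
    m, r = 5, 3
    c = commit(m, r, h)
    honest_ok = verify_opening(c, m, r, h)
    r_new = equivocate(m, r, 9, t)
    forged_ok = verify_opening(c, 9, r_new, h)
    return c, honest_ok, r_new, forged_ok


if __name__ == "__main__":
    c, honest_ok, r_new, forged_ok = demo()
    print(f"C={c} honest opening valid={honest_ok}")
    print(f"re-opened as m'=9 with r'={r_new}, verifier accepts={forged_ok}")
```

The verifier's check in `verify_opening` is exactly the one a shuffle proof relies on; because `equivocate` produces a second valid opening for the same C, a party holding t can swap a committed vote for another and every published check still passes. Deriving h as in `setup_nothing_up_my_sleeve` (or, in a real system, by a verifiable multi-party procedure) removes the trapdoor from everyone's hands, which is why auditing how commitment parameters were generated matters as much as auditing the proof code itself.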

It has been revealed that the same voting system made by Scytl is also used in the Australian state of New South Wales. The NSW Electoral Commission has also downplayed the risk, arguing that the machine that would need to be targeted in an attack is air-gapped. “In order for this weakness to be an issue, a person would need to gain access to the physical machine. They would need all the right credentials and the right code to alter the software,” a spokesperson for the NSW Electoral Commission stated. “Our processes reduce this risk as we specifically separate the duties of people on the team and control access to the machine to reduce the potential for an insider attack. Scytl is delivering a patch which will be tested and implemented shortly to address this matter.”


Tax Return Credentials stolen after passwords accessed on the Dark Web*.

A group of hackers were able to access tax return credentials from TurboTax by using a list of stolen passwords from the Dark Web. Although only one TurboTax user in Vermont was victimized, the hack was possible through a credential stuffing attack, in which a hacker automates login attempts using millions of previously leaked login/password combinations. The attackers were able to break in via an easily guessed password that the victim had reused across multiple accounts. The lesson here is to use unique, complex passwords for all your logins and set up two-factor authentication wherever possible.
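Credential stuffing has a recognisable shape in authentication logs: one source tries many different accounts in a short window, most attempts fail, and the rare success is the reused password the paragraph above warns about. The detector below is an added example written for this newsletter, not tooling from TurboTax or its parent company; the log line format, IP addresses and usernames are all constructed for the demo. It also flags the inverse pattern, many failures against a single account from one or more sources, since both show up in the same data.

```python
"""Flag credential stuffing (and single-account brute force) in auth logs.

Added example with a constructed log format:
    <ISO-8601 UTC timestamp> auth <SUCCESS|FAIL> user=<name> ip=<addr>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>SUCCESS|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample: 10.0.0.9 sprays six different accounts and lands one
# (stuffing); 10.0.0.5 hammers a single account (brute force); 10.0.0.1 is a
# normal user who mistyped once.
SAMPLE_LOG = """\
2019-03-05T10:00:01Z auth FAIL user=alice ip=10.0.0.9
2019-03-05T10:00:02Z auth FAIL user=bob ip=10.0.0.9
2019-03-05T10:00:02Z auth FAIL user=carol ip=10.0.0.9
2019-03-05T10:00:03Z auth SUCCESS user=dave ip=10.0.0.9
2019-03-05T10:00:03Z auth FAIL user=erin ip=10.0.0.9
2019-03-05T10:00:04Z auth FAIL user=frank ip=10.0.0.9
2019-03-05T10:00:10Z auth FAIL user=grace ip=10.0.0.5
2019-03-05T10:00:11Z auth FAIL user=grace ip=10.0.0.5
2019-03-05T10:00:12Z auth FAIL user=grace ip=10.0.0.5
2019-03-05T10:00:13Z auth FAIL user=grace ip=10.0.0.5
2019-03-05T10:00:14Z auth FAIL user=grace ip=10.0.0.5
2019-03-05T10:00:15Z auth SUCCESS user=grace ip=10.0.0.5
2019-03-05T10:00:20Z auth FAIL user=heidi ip=10.0.0.1
2019-03-05T10:00:25Z auth SUCCESS user=heidi ip=10.0.0.1
"""


def parse(log_text: str):
    """Return (timestamp, ip, user, success) tuples sorted by time."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the constructed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "SUCCESS"))
    return sorted(events)


def _windows(evs, window):
    """Yield every trailing slice of evs whose timestamps span at most `window`."""
    start = 0
    for end in range(len(evs)):
        while evs[end][0] - evs[start][0] > window:
            start += 1
        yield evs[start:end + 1]


def detect(events, window=timedelta(minutes=5), min_users=5, min_failures=5):
    """Produce alerts for stuffing (many users per ip) and brute force (many fails per user)."""
    by_ip = defaultdict(list)
    by_user = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
        by_user[user].append((ts, ip, ok))

    alerts = []
    for ip, evs in by_ip.items():
        # The window with the most distinct usernames is the stuffing signature.
        best = max(_windows(evs, window), key=lambda c: len({u for _, u, _ in c}))
        users = {u for _, u, _ in best}
        if len(users) >= min_users:
            alerts.append({
                "type": "credential_stuffing",
                "ip": ip,
                "distinct_users": len(users),
                "failures": sum(1 for _, _, ok in best if not ok),
                # Successful logins inside the burst are the reused passwords to reset first.
                "successful_logins": sorted(u for _, u, ok in best if ok),
            })

    for user, evs in by_user.items():
        best = max(_windows(evs, window), key=lambda c: sum(1 for _, _, ok in c if not ok))
        fails = sum(1 for _, _, ok in best if not ok)
        if fails >= min_failures:
            alerts.append({
                "type": "brute_force",
                "user": user,
                "failures": fails,
                "ips": sorted({ip for _, ip, _ in best}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

The thresholds are deliberately low so the constructed sample trips them; in production they would be tuned per login endpoint, and the `successful_logins` list is the actionable output: those accounts had a password that also appeared in a leak, so they need a forced reset and a second factor regardless of whether the rest of the burst was blocked.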


Healthcare Security Statistics released*.

HIPAA and Healthcare security statistics for 2018 have been released in Bitglass’s Healthcare Breach Report and here are need-to-know stats as reported:

· There were 290 known healthcare breaches.

· The number of exposed records nearly doubled from 2017.

· 46% of victims of healthcare breaches in 2018 were from hacking and IT incidents.

· The number of breaches from lost/stolen devices fell by nearly 70% since 2014.

· Nearly 40,000 people were affected per breach, more than double the amount in 2017.

· 36% of healthcare data breaches in 2018 were the result of unauthorized access to PHI (Protected Health Information).

Phishing attacks on the rise*.

More statistics from 2018 emerged about the rise of SSL (Secure Sockets Layer)-based phishing attacks. According to the 2019 Cloud Security Insights Threat Report, there was an increase of over 400% in phishing attempts over 2017 results, a total of 2.7 million attacks. Another report by Trend Micro revealed they had blocked 269 million fake URLs from phishing attacks last year, which was a 269% increase over 2017.



THREAT FOCUS: Columbia Surgical Specialists – USA*

Exploit: Ransomware attack

Columbia Surgical Specialists: Surgical facility in Spokane, Washington

Customers Impacted: To be determined

Risk to Small Business: 2.111 = Severe: Columbia Surgical Specialists decided to pay almost $15,000 in ransom to unlock files that were encrypted by hackers. After originally discovering the incident on January 9th, the firm hired an outside security firm to mitigate the aftereffects of the attack. Initially it was believed that 400,000 patients could have been affected, but the number has since been reduced. Columbia Surgical Specialists explained that their delay in reporting was due to the time needed to analyze information surrounding the breach, and they do not believe that the attackers were able to access patient data.

Individual Risk: 2.428 = Severe: Names, driver's license numbers, SSNs, and protected health information were impacted in the ransomware attack. However, the outside security firm believes that it is unlikely that the data was exposed in the incident.

Effect on Customers: Ransomware is a sticky subject for businesses and can resemble a virtual hostage situation. In the event of an attack, security experts recommend not paying ransoms to hackers, since it incentivizes future exploits and can result in greater demands. To prevent such exploits from occurring in the first place, organizations must partner up with managed security providers.

Risk Levels: 1 - 1.5 = Extreme Risk | 1.51 - 2.49 = Severe Risk | 2.5 - 3 = Moderate Risk

*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.


THREAT FOCUS: Dun & Bradstreet – USA*

Exploit: Trojan spam campaign

Dun & Bradstreet: Business analytics company based in New Jersey

Customers Impacted: To be disclosed

Risk to Small Business: 2.555 = Moderate: Emails identified as spam were found attempting to impersonate Dun & Bradstreet’s official website using a lookalike domain. These “complaint” emails contained macros that deliver Trickbot, a damaging trojan that can be leveraged by hackers against banks. However, security researchers were able to uncover the campaign and users have been advised to disable macros from automatically opening in the Word application or open their emails in protected view.

Individual Risk: 2.571 = Moderate: If users avoid opening spam emails and attachments, there is limited risk involved. Nevertheless, if the Trickbot trojan installs itself on a computer containing valuable files, all bets are off.

Effect On Customers: Phishing campaigns are growing not only in sophistication but also in potential impact. Enhancing cybersecurity efforts at your company begins with the first line of defence: your employees. To protect invaluable assets and customer data, businesses must improve cybersecurity awareness and prepare their workforce for inevitable phishing attacks.

Risk Levels: 1 - 1.5 = Extreme Risk | 1.51 - 2.49 = Severe Risk | 2.5 - 3 = Moderate Risk

*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.


THREAT FOCUS: Grinnell, Oberlin and Hamilton Colleges – USA*

Exploit: System breaches and ransom schemes

Grinnell, Oberlin and Hamilton Colleges: Three private colleges across the US

Customers Impacted: To be determined

Risk to Small Business: 2.333 = Severe: College applicants across Grinnell, Oberlin, and Hamilton are receiving ransom notes from hackers who claim to have access to their files. The only common thread that the three colleges share is a third-party data system known as Slate, which helps track applicant data, but security experts do not believe the company was at fault. Information that was allegedly hacked included personal information, along with notes from admissions officers and acceptance decisions. Although two of the colleges have stated that financial information was encrypted and not exposed, all three will likely face reputational damages and a downtrend in applications.

Individual Risk: 2.428 = Severe: If the hackers are unable to generate profit from the ransom schemes, they will most likely turn to the Dark Web or orchestrate identity theft themselves. Applicants are at high risk unless authorities can pinpoint and mitigate the source of the breach.

Effect On Customers: As the higher education vertical continues to grow more competitive for students, such a breach can be crippling for any institution. News of college applicants being hacked can cause serious concerns for prospective students and even result in turnover amongst current ones. To draw the parallel to small business, having a lead generation system breached can be similarly catastrophic to any company. The first step to containing such an incident should be to understand whether hackers truly have access to customer data, and whether they are trying to sell it. One way to accomplish this is to proactively monitor the Dark Web for stolen customer data.

Risk Levels: 1 - 1.5 = Extreme Risk | 1.51 - 2.49 = Severe Risk | 2.5 - 3 = Moderate Risk

*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.


THREAT FOCUS: Rush University Medical Centre – USA*

Exploit: Third-party breach

Rush University Medical Center: Academic medical center in Chicago, Illinois.

Customers Impacted: 45,000

Risk to Small Business: 1.555 = Severe: After unearthing a massive data breach on January 22nd, the hospital revoked its contract with an IT vendor and launched an investigation. Patients whose data was compromised were notified, but Rush maintains that the data was not misused after the incident. Although the institution has offered one-year identity protection and breach helplines, this is the second security incident that Rush has suffered within the last year, causing patients and caregivers to reconsider their selection in care providers.

Individual Risk: 2.142 = Severe: According to a financial filing by the medical center, compromised data included names, addresses, birthdays, SSNs, health insurance information, and even medical data. Patients should enroll in identity protection immediately and continue to monitor their accounts for fraudulent activity.

Effect on Customers: Back-to-back breaches produce adverse effects on customer retention, and this is especially true in healthcare. As patients grow increasingly cyber-vigilant, it is only a matter of time until they will evaluate security when choosing their care providers. By partnering with the right MSPs, businesses can avoid breaches while building rapport with their customers.

Risk Levels: 1 - 1.5 = Extreme Risk | 1.51 - 2.49 = Severe Risk | 2.5 - 3 = Moderate Risk

*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.


THREAT FOCUS: Emerson Hospital – USA*

Exploit: Third-party breach

Emerson Hospital: Academic medical center in Chicago, Illinois.

Customers Impacted: 6,300 patients.

Risk to Small Business: 1.777 = Severe: In a statement that was released two weeks ago, the hospital announced that it had fallen victim to breach. A third-party vendor known as MiraMed Global Services sent electronic files containing patient information to an unauthorized entity. After conducting a forensic investigation, the hospital explained to patients in a letter that medical conditions, treatments, and credit card numbers were not exposed. Additionally, the third-party employee responsible was fired and law enforcement was contacted.

Individual Risk: 2.571 = Moderate: Personal information including names, addresses, SSNs, and insurance policy numbers was disclosed, but Emerson stated that “the files were of such poor quality that a third-party did not find the data useful.” Regardless, some risk is involved and patients should enrol in the free two-year membership to identity protection services that is being offered.

Effect on Customers: When it comes to communicating with your audience, whether that be customers or patients, the end-goal is the same. Companies must build trust. In order to preserve relationships after a breach incident, it is paramount that the facts are right, and corrective actions have been taken. Emerson was able to effectively take responsibility while demonstrating their commitment to their service to patients by promptly launching an investigation and asking for the responsible third-party employee to be fired.

Risk Levels: 1 - 1.5 = Extreme Risk | 1.51 - 2.49 = Severe Risk | 2.5 - 3 = Moderate Risk

*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.


THREAT FOCUS: Canadian Universities – CANADA*

Exploit: State-sponsored spyware phishing campaign

Canadian Universities: Groups of universities across Canada

Customers Impacted: To be determined.

Risk to Small Business: 1.555 = Severe: Chinese hackers are targeting 27 universities across Canada, the United States and Southeast Asia to uncover maritime technology that can be developed for military use. According to the report from the Wall Street Journal, the campaign dates back to April 2017. Along with having confidential research exposed and garnering bad publicity, the affected institutions will be forced to fortify their cybersecurity efforts to the tune of millions of dollars.

Individual Risk: 3 = Moderate: Researchers that were involved in the naval technology department of their respective universities may have been affected, but there is no evidence that personal information was targeted.

Effect On Customers: Recent cyber-attacks are shining a bright spotlight on organizations in the higher education space, since they have historically harboured invaluable information with limited firewalls. Companies that are storing proprietary data must prioritize training for their employees or faculty to avoid walking into the crosshairs of hackers. By creating a culture that is focused on cybersecurity protection and awareness, organizations can sidestep malicious phishing attacks that are entirely preventable.

Risk Levels: 1 - 1.5 = Extreme Risk | 1.51 - 2.49 = Severe Risk | 2.5 - 3 = Moderate Risk

*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.


THREAT FOCUS: The Institute Of Statecraft – UNITED KINGDOM*

Exploit: To be determined

The Institute for Statecraft: Charity established to counter Russian disinformation

Risk to Small Business: 2 = Severe: The UK charity that received government funding to combat Russian disinformation was hacked and is now being investigated by the National Crime Agency (NCA). All website content was temporarily removed from the site, but the organization plans to relaunch shortly.

Individual Risk: 2.714 = Moderate: Although there is no evidence that the personal information of individuals was directly impacted, this type of hack has many implications for the public. Citizens must avoid falling prey to disinformation by validating sources and staying cyber-vigilant.

Effect On Customers: Organizations that operate in the non-profit sector are not exempt from data breaches. As hackers begin to turn their sights toward information that is the most valuable and least protected, IT security teams must understand the gravity of leaving data exposed.

Risk Levels: 1 - 1.5 = Extreme Risk | 1.51 - 2.49 = Severe Risk | 2.5 - 3 = Moderate Risk

*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.


THREAT FOCUS: Talk Talk – UNITED KINGDOM*

Exploit: Dormant e-mail account hack

Talk Talk: Internet service provider in the UK.

Customers Impacted: One known customer.

Risk to Small Business: 2.222 = Severe: After keeping a former customer’s email address open for 8 years, TalkTalk is taking heat for a brute-force login attack to her account. Spammers were able to crack the account password and harvest contacts from an address book, using them in personalized phishing campaigns. Upon receiving notifications of headline coverage, a company spokesperson finally announced that they had deleted the email address. News readers may take notice and shift their business elsewhere.

Individual Risk: 2.428 = Moderate: Although most personal information was not included, data from contact lists can still be manipulated in social engineering attacks. Other former customers who had accounts with the company should also reach out to have their accounts deleted.

Effect On Customers: Aside from following proper data governance policies and deleting data from former accounts, companies must establish anti-phishing protocols. Businesses must protect their customer data by enlisting the help of security providers who have access to the latest and leading solutions on the market.

Risk Levels: 1 - 1.5 = Extreme Risk | 1.51 - 2.49 = Severe Risk | 2.5 - 3 = Moderate Risk

*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.



POSTSCRIPT:


Dark Web 101: Small Business Edition*

In the past, being a small business was enough to divert hackers from targeting your company. However, cyber criminals have discovered ways to generate profit from compromised data, many times through the Dark Web. Many small business owners are beginning to ramp up their cybersecurity efforts, but the Dark Web remains an elusive concept for most. In some ways, the Dark Web is exactly what it sounds like: an anonymous network of websites and forums where stolen information is put up for sale. How do organizations protect themselves and their customers from ending up on the Dark Web? By employing advanced monitoring tools through security providers and creating security training programs to foster a culture of cybersecurity education and awareness.





* Disclaimer: Avantia Corporate Services Pty Ltd and Avantia Cyber Security provides the content in this publication to the reader for general information purposes only and has compiled the content from a number of sources in Australia, the USA, and up to 56 other countries who provide cyber breach information to us in real time. Given their international focus and experience in the cyberspace arena we believe their data to be accurate and reliable, however, we give no warranty (implied or otherwise), as to the contents accuracy or fitness for use. No validation or investigation has been performed by Avantia Corporate Services or the Author as to its accuracy or reliability. Readers should conduct their own investigation and come to their own conclusions.


Call (07) 3010 9711 

info@avantiacorp.com.au

Avantia Corporate Services Pty Ltd, Level 7, 320 Adelaide Street

Brisbane, Queensland 4000

AUSTRALIA.



*COPYRIGHT 2020* Avantia Corporate Services  PTY LTD - All Rights Reserved.
